Re: [j-nsp] (d)DoS handling

From: Jesper Skriver (jesper@skriver.dk)
Date: Mon Apr 09 2001 - 07:35:02 EDT


On Mon, Apr 09, 2001 at 01:45:38AM +0200, Dmitri Kalintsev wrote:
> On Fri, Apr 06, 2001 at 03:17:13PM +0200, Jesper Skriver wrote:
> > On Fri, Apr 06, 2001 at 05:53:53AM +0200, Dmitri Kalintsev wrote:
> >
> > > By the way, does Juniper have an analog of ip verify reverse-path unicast?
> >
> > Not currently to my understanding, we are in the process of opening a
> > feature request on this ...
>
> Uhm, what are you requesting? Pure uRPF

Yes, pure RPF.

> or extended one, with the ability to
> choose between matching the interface and ignoring it but rather checking
> prefix routability in principle? Extended case would be so much more useful,
> as not many people would use M series as a distribution layer router. ;)

You cannot do RPF where you risk having asymmetric routing, and I don't
like dropping all packets from a source not in the routing table.

We here allow rfc1918 sources by choice, as dropping them will cause
pMTUd problems when the link with the smaller mtu uses rfc1918 addresses,
and there are such links out there in the world, even though we don't
use them ...

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them.
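A toy model of the two uRPF variants discussed in this thread, added here as an illustration and not part of the original exchange or of any vendor implementation. The FIB, interface names and addresses are constructed; "strict" requires the source's best route to point back out the ingress interface, "loose" only requires a route to exist, and the rfc1918 carve-out models the exception Jesper describes for pMTUd.

```python
import ipaddress

# Constructed FIB for a toy router: prefix -> interface the route points out of.
# Assumption for this model: the default route is not consulted by uRPF.
FIB = {
    "192.0.2.0/24": "ge-0/0/0",
    "198.51.100.0/24": "ge-0/0/1",
    "0.0.0.0/0": "ge-0/0/2",
}

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(src):
    """Longest-prefix match on the FIB, ignoring the default route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best


def urpf_accept(src, ingress, mode="strict", allow_rfc1918=False):
    """Return True if a packet from src arriving on ingress passes the check."""
    # Optional exception: let private sources through so that ICMP
    # "fragmentation needed" from privately numbered links is not dropped.
    if allow_rfc1918 and any(ipaddress.ip_address(src) in n for n in RFC1918):
        return True
    match = lookup(src)
    if match is None:          # no route at all: both modes drop
        return False
    if mode == "loose":        # route exists, interface is irrelevant
        return True
    return match[1] == ingress # strict: must arrive on the reverse-path interface


if __name__ == "__main__":
    # 198.51.100.7 is routed via ge-0/0/1 but arrives on ge-0/0/0: an
    # asymmetric path that strict mode drops and loose mode accepts.
    print(urpf_accept("198.51.100.7", "ge-0/0/0"))
    print(urpf_accept("198.51.100.7", "ge-0/0/0", mode="loose"))
```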

This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:42 EDT